package com.datastax.oss.driver.internal.core.ssl;

import java.io.IOException;
import java.io.InputStream;
import java.math.BigInteger;
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import java.net.SocketException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.X509Certificate;
import java.util.Optional;
import java.util.concurrent.LinkedBlockingQueue;
import java.util.concurrent.TimeUnit;
import java.util.function.Consumer;
import java.util.function.Supplier;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;
import org.junit.Assert;
import org.junit.Test;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/datastax/oss/driver/internal/core/ssl/ReloadingKeyManagerFactoryTest.class */
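/**
 * Verifies that {@link ReloadingKeyManagerFactory} presents a new client certificate after the
 * keystore file it was created from is replaced and {@code reload()} is called.
 *
 * <p>The test starts an in-process TLS server that requires client authentication, connects to it
 * twice with the same factory (before and after swapping the keystore file), and compares the
 * serial number of the certificate the server saw with the expected fixture serial.
 *
 * <p>Every keystore, truststore and password used here is a test fixture loaded from the test
 * resources; none of it is suitable for protecting real key material.
 */
public class ReloadingKeyManagerFactoryTest {
    private static final Logger logger = LoggerFactory.getLogger(ReloadingKeyManagerFactoryTest.class);
    static final Path CERT_BASE = Paths.get(ReloadingKeyManagerFactoryTest.class.getResource(String.format("/%s/certs/", ReloadingKeyManagerFactoryTest.class.getSimpleName())).getPath());
    static final Path SERVER_KEYSTORE_PATH = CERT_BASE.resolve("server.keystore");
    static final Path SERVER_TRUSTSTORE_PATH = CERT_BASE.resolve("server.truststore");
    static final Path ORIGINAL_CLIENT_KEYSTORE_PATH = CERT_BASE.resolve("client-original.keystore");
    static final Path ALTERNATE_CLIENT_KEYSTORE_PATH = CERT_BASE.resolve("client-alternate.keystore");
    static final BigInteger ORIGINAL_CLIENT_KEYSTORE_CERT_SERIAL = convertSerial("7372a966");
    static final BigInteger ALTERNATE_CLIENT_KEYSTORE_CERT_SERIAL = convertSerial("e50bf31");
    static final Path TMP_CLIENT_KEYSTORE_PATH = createTempKeystoreFile();
    static final Path CLIENT_TRUSTSTORE_PATH = CERT_BASE.resolve("client.truststore");
    // Password used for every fixture keystore and truststore loaded by this test.
    static final String CERTSTORE_PASSWORD = "changeit";

    /**
     * Creates the temporary file that the client keystore is copied into.
     *
     * <p>The file ends up holding a copy of the client private key, so it is registered for
     * deletion at JVM exit instead of being left behind in the temp directory.
     */
    private static Path createTempKeystoreFile() {
        try {
            Path tempFile = Files.createTempFile(ReloadingKeyManagerFactoryTest.class.getSimpleName(), null);
            tempFile.toFile().deleteOnExit();
            return tempFile;
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the client-side trust manager factory from the {@code client.truststore} fixture.
     *
     * @return a factory initialised with the JKS truststore at {@link #CLIENT_TRUSTSTORE_PATH}
     * @throws RuntimeException wrapping any I/O or keystore failure
     */
    private static TrustManagerFactory buildTrustManagerFactory() {
        try (InputStream trustStoreStream = Files.newInputStream(CLIENT_TRUSTSTORE_PATH)) {
            KeyStore trustStore = KeyStore.getInstance("JKS");
            trustStore.load(trustStoreStream, CERTSTORE_PASSWORD.toCharArray());
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            return trustManagerFactory;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Builds the SSL context for the in-process test server from the server keystore and
     * truststore fixtures.
     *
     * @return an initialised context carrying the server key and the trust anchors used to
     *     validate client certificates
     * @throws RuntimeException wrapping any I/O, keystore or context initialisation failure
     */
    private static SSLContext buildServerSslContext() {
        try {
            // Request the context by the "TLS" name, matching the client side of this test,
            // rather than by the legacy "SSL" name.
            SSLContext sslContext = SSLContext.getInstance("TLS");

            TrustManagerFactory trustManagerFactory;
            try (InputStream trustStoreStream = Files.newInputStream(SERVER_TRUSTSTORE_PATH)) {
                KeyStore trustStore = KeyStore.getInstance("JKS");
                trustStore.load(trustStoreStream, CERTSTORE_PASSWORD.toCharArray());
                trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                trustManagerFactory.init(trustStore);
            }

            KeyManagerFactory keyManagerFactory;
            try (InputStream keyStoreStream = Files.newInputStream(SERVER_KEYSTORE_PATH)) {
                KeyStore keyStore = KeyStore.getInstance("JKS");
                char[] password = CERTSTORE_PASSWORD.toCharArray();
                keyStore.load(keyStoreStream, password);
                keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                keyManagerFactory.init(keyStore, password);
            }

            sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), new SecureRandom());
            return sslContext;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Connects with the original client keystore, swaps the keystore file, reloads the factory and
     * checks that the server then sees the alternate certificate.
     */
    @Test
    public void client_certificates_should_reload() throws Exception {
        // NOTE(review): COPY_ATTRIBUTES may carry the fixture file's attributes over to the temp
        // copy, replacing those chosen by createTempFile; acceptable for test key material only.
        Files.copy(ORIGINAL_CLIENT_KEYSTORE_PATH, TMP_CLIENT_KEYSTORE_PATH, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.COPY_ATTRIBUTES);
        // Capacity 1: each handshake hands exactly one result to the test thread.
        LinkedBlockingQueue<Optional<X509Certificate[]>> peerCertificates = new LinkedBlockingQueue<>(1);

        SSLServerSocket serverSocket = (SSLServerSocket) buildServerSslContext().getServerSocketFactory().createServerSocket();
        try {
            // Port 0 selects an ephemeral port. NOTE(review): no bind address is given, so the
            // listener is not restricted to loopback for the duration of the test.
            serverSocket.bind(new InetSocketAddress(0), 1);
            serverSocket.setUseClientMode(false);
            // Mutual TLS: the handshake fails unless the client presents a certificate the
            // server truststore accepts. This is what makes the certificate observable below.
            serverSocket.setNeedClientAuth(true);

            Thread serverThread = new Thread(() -> acceptClients(serverSocket, peerCertificates));
            serverThread.setName(String.format("%s-serverThread", getClass().getSimpleName()));
            serverThread.setDaemon(true);
            serverThread.start();

            ReloadingKeyManagerFactory reloadingFactory = ReloadingKeyManagerFactory.create(TMP_CLIENT_KEYSTORE_PATH, CERTSTORE_PASSWORD, Optional.empty());
            try {
                TrustManagerFactory clientTrust = buildTrustManagerFactory();

                testClientCertificates(reloadingFactory, clientTrust, serverSocket.getLocalSocketAddress(), () -> awaitPeerCertificates(peerCertificates, 10L), certificates -> {
                    Assert.assertEquals(1L, certificates.length);
                    Assert.assertEquals(ORIGINAL_CLIENT_KEYSTORE_CERT_SERIAL, certificates[0].getSerialNumber());
                });

                logger.info("Updating keystore file with new content");
                Files.copy(ALTERNATE_CLIENT_KEYSTORE_PATH, TMP_CLIENT_KEYSTORE_PATH, StandardCopyOption.REPLACE_EXISTING, StandardCopyOption.COPY_ATTRIBUTES);
                reloadingFactory.reload();

                testClientCertificates(reloadingFactory, clientTrust, serverSocket.getLocalSocketAddress(), () -> awaitPeerCertificates(peerCertificates, 30L), certificates -> {
                    Assert.assertEquals(1L, certificates.length);
                    Assert.assertEquals(ALTERNATE_CLIENT_KEYSTORE_CERT_SERIAL, certificates[0].getSerialNumber());
                });
            } finally {
                // Close even when an assertion fails so the factory does not outlive the test.
                reloadingFactory.close();
            }
        } finally {
            // Closing the server socket is also what makes the accept loop terminate.
            serverSocket.close();
        }
    }

    /**
     * Accept loop of the test server: performs a handshake with each client and publishes the
     * client certificate chain (or an empty Optional when the peer is unverified) to the queue.
     * Returns once the server socket has been closed.
     */
    private static void acceptClients(SSLServerSocket serverSocket, LinkedBlockingQueue<Optional<X509Certificate[]>> peerCertificates) {
        while (true) {
            try {
                logger.info("Server accepting client");
                SSLSocket accepted = (SSLSocket) serverSocket.accept();
                logger.info("Server accepted client {}", accepted);
                accepted.addHandshakeCompletedListener(handshakeCompletedEvent -> {
                    boolean offered;
                    try {
                        offered = peerCertificates.offer(Optional.of((X509Certificate[]) handshakeCompletedEvent.getPeerCertificates()));
                    } catch (SSLPeerUnverifiedException e) {
                        offered = peerCertificates.offer(Optional.empty());
                    }
                    // This does not run on the JUnit thread, so a failure here cannot fail the
                    // test directly; the test thread would instead time out polling the queue.
                    Assert.assertTrue(offered);
                });
                logger.info("Server starting handshake");
                accepted.startHandshake();
            } catch (IOException e) {
                // Stop on the socket state first; the message check is kept as a fallback and
                // guarded against exceptions that carry no message.
                if (serverSocket.isClosed() || isSocketClosed(e)) {
                    return;
                }
                logger.info("Server accept error", e);
            }
        }
    }

    /** Returns true for a {@link SocketException} whose message reports a closed socket. */
    private static boolean isSocketClosed(IOException e) {
        String message = e.getMessage();
        return (e instanceof SocketException) && message != null && message.contains("Socket closed");
    }

    /**
     * Waits for the server thread to publish the certificate chain of the latest handshake.
     *
     * @return the published value, or {@code null} if nothing arrived within the timeout
     */
    private static Optional<X509Certificate[]> awaitPeerCertificates(LinkedBlockingQueue<Optional<X509Certificate[]>> peerCertificates, long timeoutSeconds) {
        try {
            return peerCertificates.poll(timeoutSeconds, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            // Restore the interrupt flag before surfacing the failure.
            Thread.currentThread().interrupt();
            throw new RuntimeException(e);
        }
    }

    /**
     * Opens one TLS connection to the test server with the given key and trust material and
     * passes the certificate chain the server observed to {@code consumer}.
     *
     * @param keyManagerFactory source of the client key managers (the factory under test)
     * @param trustManagerFactory source of the trust managers used to validate the server
     * @param socketAddress address of the test server
     * @param supplier blocks until the server reports the client certificates it received
     * @param consumer assertions to run against the reported chain
     */
    private static void testClientCertificates(KeyManagerFactory keyManagerFactory, TrustManagerFactory trustManagerFactory, SocketAddress socketAddress, Supplier<Optional<X509Certificate[]>> supplier, Consumer<X509Certificate[]> consumer) throws NoSuchAlgorithmException, KeyManagementException, IOException {
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
        Optional<X509Certificate[]> reported;
        // The server chain is validated against the truststore, but no endpoint identification
        // (hostname check) is configured on this socket; that is only appropriate because both
        // ends are this test. try-with-resources closes the socket on a failed handshake too.
        try (SSLSocket clientSocket = (SSLSocket) sslContext.getSocketFactory().createSocket()) {
            logger.info("Client connecting");
            clientSocket.connect(socketAddress);
            logger.info("Client doing handshake");
            clientSocket.startHandshake();
            reported = supplier.get();
            logger.info("Client got its certificate back from the server; closing socket");
        }
        // A null value means the supplier timed out waiting for the server.
        Assert.assertNotNull(reported);
        Assert.assertTrue(reported.isPresent());
        logger.info("Client got its certificate back from server: {}", reported);
        consumer.accept(reported.get());
    }

    /**
     * Converts a hexadecimal certificate serial number to a {@link BigInteger}.
     *
     * <p>Parsing goes straight to {@code BigInteger} so that serials wider than 31 bits are
     * accepted; certificate serial numbers are not limited to the {@code int} range.
     */
    private static BigInteger convertSerial(String str) {
        BigInteger serial = new BigInteger(str, 16);
        logger.info("Serial hex {} is {}", str, serial);
        return serial;
    }
}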
